January 2019 - Fractional CISO

WiFi Pineapple: Can Still Compromise Your Network in 2019

January 30, 2019

Suppose you see a few people in a rented car, parked across a street at a hotel, next to an office.

Does this sound suspicious to you at all? Not at all! Right?

In a real-life version of this story, those people were attempting to perform a cyber-attack on the Organization for the Prevention of Chemical Weapons (OPCW). According to reporting on the incident, Dutch law enforcement foiled their attempts when they discovered their ‘weaponized’ car with long-range high-gain WiFi antennas, battery backup, and power inverter and something that looked to be a WiFi Pineapple kit.

Such “close access” attacks on WiFi networks are well known in the cybersecurity world, as an established technique for penetrating a target. The news of the Dutch attack validates that the threat is real. The WiFi Pineapple just makes it easy to target WiFi access points, as well as employee’s WiFi-enabled devices.

WiFi Pineapple: It’s Not a Fruit

The “WiFi” Pineapple is a pen testing tool, originally created in order to allow IT professionals to test the vulnerability of their networks. They can be used to de-authenticate and spoof a legitimate network, forcing employees to connect to this fake network. Once connected, the attacker can target the local device on the fake network, to exploit it and gain access to its data. This device can be set up as a rogue wireless access point within minutes, ready for attack.

WiFi is Inherently Flawed

A WiFi operation relies on trust, especially in terms of the validity of the source and destination addresses. That is exactly what is leveraged to spoof values and carry out attacks. WiFi obviously presents more challenges than the traditional wired networks, due to the easy accessibility of the signals. The Access Point (AP) generates radio waves traveling through walls and windows, and these waves can be picked up by someone sitting outside in a parking lot!

Any time you connect to a WiFi network from your phone or computer, your device saves that network’s SSID. Remember the auto-connect feature that your phones and laptops have that allows your device to connect to that SSID automatically? It comes at a major cost.

For example, say you connected to the airport WiFi called- ‘Airport WiFi’. After you’ve left the airport, your device will broadcast a signal asking if WiFi access points around the device are ‘Airport WiFi’. Your device does this for any network you’ve connected to in the past.

WiFi Pineapples take advantage of this feature by scanning for all the SSIDs being broadcast by devices in its vicinity. It then rebroadcasts these SSIDs to trick devices into thinking it is an access point that has been connected to in the past. The WiFi Pineapple sees your device asking, “is this network ‘Airport WiFi’?” And then starts broadcasting its own signal that says “Yes, I am ‘Airport WiFi’, connect to me.”

WiFi Pineapple is Not That Difficult

The WiFi Pineapple is available to anyone on Hak5’s website at the price of $99.99. It will be delivered to you within a week’s time and setting up the device takes about fifteen minutes. Downloadable modules and plugins are available for free. Operating this device to launch a basic attack takes minimal formal training or knowledge. To test it out, I tried to launch a basic coffee shop attack. The goal was to capture the login credentials of the victim.

Demonstrating the Basic Coffee Shop Attack

A while ago, obtaining someone’s login credentials was a piece of cake. All that was required was the SSLsplit module. You can find videos on YouTube from 2013-2014, where you can see how easy it was to capture literally any login credentials.

Now, it’s harder, since browsers have adapted HSTS (HTTP Strict Transport Security) to protect websites against downgrade attacks. They also warn users when the site is not secure.

These measures have made attacks like a WiFi Pineapple gambit difficult, but not impossible.

While SSLSplit is pretty much useless now, it is still possible to obtain credentials by first launching a de-authentication attack. This forces the user to go through a captive portal where the attacker will be sitting with their ears on the door.
With two easy steps using two free modules, the attacker can grab your credentials.
1. Deauth- With one click, the WiFi Pineapple can launch a de-authentication attack on clients connected to nearby APs.

Or if you want to kick off all the clients from a particular AP, you can do that too.

2. Evilportal- This is a trap that lets users ‘authenticate’ themselves to connect to the WiFi network.

After de-authenticating, the next step is to direct the victim to the login portal. Creating the login portal was easy, as there are several codebases available online, even ones that are specially designed to be ‘evil portals.’

The login portal I created looks like this-

Once the victim entered their credentials, I was able to capture it in a log file-

Step 2 can also be done using another module, PortAuth, which is basically a clone of captive portals and acts as a payload distributor for the WiFi Pineapple.

PortAuth allows the users of the WiFi Pineapple to easily spoof captive portals and regular websites, capture credentials and system information, and delivers payloads to targets.

This has just scratched the surface of what’s happening around these sorts of technologies. With more training and deeper knowledge of the modules and attacks, the WiFi Pineapple is capable of so much more. It can generate fake certificates, in case anyone needs an extra touch of authenticity. It can also be used to inject raw frames and capture WPA handshakes.

The attacker doesn’t even have to know your SSID! The WiFi Pineapple can collect this information by collecting leaking SSIDs from the potential clients. They are added to the SSID pool and are used to spoof networks and trick devices into connecting to malicious networks.

A WiFi Pineapple Coffee Shop Attack Can Happen to Your Organization

We’ve become alarmingly accustomed to connecting to random wireless access points while we’re out and about. From a security standpoint, that’s a problem.

When the average person at the airport waiting for a flight sees SSID names like ‘Free Airport WiFi’, what are they going to do? Assume it’s an attacker’s honeypot and steer clear of it, or believe it’s free airport WiFi and dive right in? Exactly. Too often, they’re not cautious – with big consequences.

Your company employs a number of employees, including software engineers and others who have a high level of access to the company’s infrastructure. You might also allow BYOD and working from home. It is very much possible that one of these people falls for an attack like this, putting not only their devices, but the whole network at risk.

How to Defend Against the Malicious WiFi Pineapple

Luckily, there are some simple practices you could follow as an individual to protect yourself from getting pwned by a WiFi Pineapple:

Beware of public WiFi! This goes without saying: only connect to WiFi networks you know and trust. Do not conduct sensitive business, banking or health care-related activities over public WiFi.
Use a VPN. if you absolutely must connect to a public WiFi, USE A VPN! It is your best bet when it comes to surfing the net securely. A VPN will encrypt your data before routing it to its destination, so even if the attacker is able to see that your device is connected to their WiFi Pineapple, since you are using a VPN, they will not be able to see the data that is being routed.
Connect to HTTPS only. Most websites that you visit on a regular basis that have sensitive information on them have switched from HTTP to HTTPS. So, if you type just the website’s domain name, you will be directed to the secure HTTPS site. The bad news is, too may websites do not use HTTPS and can leave you open to a WiFi Pineapple attack. So, the best way to stay safe is to check for HTTPS and use a VPN.
Whenever you are done using public WiFi, make sure that you configure your devices to ‘forget’ that network. This way, since your device won’t constantly broadcast the SSIDs of the networks it has connected to in the past, the WiFi Pineapple won’t spoof the SSID and trick your device into connecting to it.
Keep your WiFi functionality turned off when you are not using it, don’t allow your devices to automatically connect to open WiFi networks.
Be vigilant about your network settings and surroundings. You can’t be connected to ‘Airport WiFi’ if you are sitting at home. Be skeptical of network names like ‘Free WiFi’ and network names for common hotel chains and other franchises.
Verify that the SSL certificate for the website is genuine and was issued to the company to which you are connecting.
If you can, just use a wired connection.

If you are the Server Admin or IT Administrator, here are some precautionary measures you could take to prevent your organization from being duped by WiFi Pineapple’s malicious attacks:

Install a Wireless Intrusion Prevention System (WIPS) on your network. It will keep an eye out for Evil Twins and Client Deauths 24/7 and will automatically detect and neutralize WiFi Pineapple attacks for you.
Update your WiFi routers, access points and client devices to patch unknown vulnerabilities.
Use HSTS. This policy forces all server responses to pass through HTTPS connections instead of plain text HTTP. This will ensure that the entire channel is encrypted before data is sent.

Next Steps

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Cybersecurity Breach Bankruptcy: It Does Happen

January 23, 2019

“Companies don’t go out of business due to a cybersecurity breach,” say several well-versed cybersecurity experts. When I give them counter-examples to disprove their point, they list it as an aberration.

Here’s a less catchy but more accurate statement: “Large companies usually don’t go out of business due to a large cybersecurity breach. They can often get by with their CEO, CIO, and/or CISO getting fired. Medium and small companies can go out of business or go bankrupt due to a cybersecurity breach.”

This article aims to explore some of the examples of bankrupt and out-of-business companies that were brought down by cybersecurity breaches. It is difficult to trace all bankruptcies to solely cybersecurity. Our standard for this article is that in the cases that we list, the breach significantly contributed to bankruptcy or led the company to cease operations.

Large Company Cybersecurity Breaches

We don’t need another article going over the Equifax, Marriott or Target breaches. For Equifax and Target, their CEO and CIO both left. Perhaps the only reason that Target is still in business following a breach affecting so many consumers that Target was so big to begin with! Target paid over $200 million for breach remediation with their insurance company paying the remaining $90 million.

Cybersecurity Breach Bankruptcy from Intellectual Property Cyber Theft

Having your intellectual property (IP) stolen can be a recipe for Chapter 11. Here are three businesses whose failures can be directly tied to an intellectual property breach. IP can lead to cybersecurity breach bankruptcy for even large enterprises.

There’s Westinghouse Nuclear, who had trade secrets and confidential communications from senior executives stolen by Chinese hackers. From the U.S. Justice Department indictment, “… [Wang] Sun[, alleged Chinese attacker,] stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.”

China has over 40% of the nuclear power plants that are planned to come online in 2019 or 2020. Instead of contracting with Westinghouse Nuclear, they took some of its key technology to be able to build the plants themselves.

Westinghouse Nuclear went bankrupt in large part because they lost their competitive advantage due to IP theft.

Nortel Networks met a similar fate. After being compromised for nearly a decade, the Canadian telecommunications giant filed for bankruptcy. Huawei, the Chinese telecommunications company, largely benefited from Nortel IP which let it sell similar products for much lower prices.

Another example is SolarWorld, a leader in solar panel production until the theft of intellectual property led to bankruptcy, in 2017. The U.S. Justice Department indictment stated that China “stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications…”

The moral of the story is that if you are a large enterprise then you can go bankrupt through IP theft by China.

Securing Cryptocurrency Exchanges

Another category of businesses that have gone under are cryptocurrency exchanges. When an exchange fails to protect the cryptocurrency it is holding, the exchange can go out of business in short order. There are no failsafe measures with cryptocurrencies. When funds are stolen, they cannot be pulled back, like an ACH transfer might allow.

Mt. Gox, the one-time leading cryptocurrency exchange, was hacked in 2014, leading to its insolvency. It lost hundreds of millions of dollars worth of Bitcoins.

Then there’s the tale of YouBit – a South Korean exchange that found itself under the gun after an attack that some believe came from the democracy’s northern neighbor compromised 17% of the exchange’s total assets. After the second attack, it didn’t take long for Youbit to declare bankruptcy.

There is a fair chance that a cryptocurrency exchange could be hacked into bankruptcy!

Former Employee Threat Causing Cybersecurity Breach Bankruptcy

What about attacks from disgruntled former employees? That’s what happened at MyBizHomepage when, according to New York Times reports, the recently fired CTO began a cyber-attack on his former employer. The ex-CTO had built multiple “backdoor” entrances to the company’s software and used them to compromise the company’s software.

Protecting your organization from insiders and former insiders can be the difference for some companies that remain in business.

Wire Transfer Fraud into Cybersecurity Breach Bankruptcy

Wire transfer fraud is another real danger when it comes to data-breach-induced financial problems. In 2010, Little and King, LLC filed bankruptcy due to a loss of $164,000 in an online banking interface. The culprit? Wire transfer fraud – with actors conducting an elaborate round-robin money transfer system, and leaving the firm holding the bag. Eventually, with the help of some of the parties targeted for participation, law enforcement caught up to the problem- Little and King, LLC had a system that had been infected with the ZeuS Trojan, a malware that criminals have used in prior bank heists to make off with the cash while keeping the victim offline as documented by Krebs on Security.

We would suspect there are many other companies in this sort of situation – sitting ducks for people who are able to pull off digital currency and digital finance manipulations that simply ‘break money out of its cage.’ It’s a scary concept, and one that boards and executives should think about very carefully. In this day and age, when there’s so much questioning about money laundering, fraud, breaches and other issues, the financial world is going to have to batten down the hatches against intellectual property theft and other types of cyberattack.

When a Company Becomes “Collateral Damage”

Too often, firms end up becoming collateral damage from big headline events. For example, in 2015, Reuters reported that a company called Altegrity Risk International (ARI) filed for Chapter 11 bankruptcy after the U.S. government terminated two major contracts with them following a security intrusion said to be “state-sponsored”. ARI was responsible for the background checks on whistleblower Edward Snowden as well as Navy Yard shooter Aaron Alexis.

This is a textbook example of how a loss of reputation and a hit to a company’s services leaves a trail of devastation after a data breach or similar cybersecurity fiasco. It’s not unusual for a whole firm to become toast in these sorts of scenarios. This is a case of the Snowden insider threat undoing a company only tangentially related.

Here’s another example where a hack by an executive led to bankruptcy – the story of One World Labs in 2015 shows that even though there were no actual law enforcement actions against the company or its founder at the time of collapse, the critical mass of negative news was enough to shutter the company and again, leave it financially stranded as “collateral damage.” The CEO claimed with some credibility that he hacked an airplane. That hack did not have the desired effect, but it did bring down his company!

IT Vulnerabilities – Dangerous Obsolescence

Sometimes experts looking at a bankruptcy or collapse after the fact are astonished at the primitive nature of the IT systems of big and powerful firms. This is prominent in the case of Mossak Fonseca, the law office at the heart of the ‘Panama Papers’ debacle in 2016.

A Wired article looking into the state of Internet facing infrastructure at Mossak Fonseca found that the law firm’s front end computer systems were, in the words of Wired writers Matt Burgess and James Templeton, “riddled with security flaws”.

The company was using very outdated technologies and had failed to update its Outlook Web Access login. At the time, the company’s portal had at least 25 vulnerabilities including several high-risk ones.

You can imagine high-powered executives simply overlooking these sorts of problems as details, while chasing bigger and bigger profits – but you can also imagine the devastating consequences of this, and the regret that comes later as outsiders start looking into woefully insufficient IT systems.

Ransomware: “Pirates” on the Net

Among the bankruptcy-inducing cyberthreats that are out there, we shouldn’t forget about ransomware, which features prominently in the story of promotional company, Colorado Timberline.

This case happened just last year, with Promo Marketing Magazine reporting Colorado Timberline’s management announced closure, citing a ransomware attack that happened earlier in the year.

In the Colorado Timberline incident, the ransomware got onto their systems and locked their files. This is often how ransomware campaigns play out. Unfortunately, the ransomware wasn’t the one where they could just pay and get their systems up and running. The company had to announce that they were closing abruptly due.

Poor Key Management

In the cybersecurity world, digital keys are incredibly important to online operations.

In a telling example that InfoWorld called “Murder in the Amazon Cloud,” Code Spaces, a company that hosted source code repositories did the equivalent of leaving the keys in the car. When its AWS control panel was compromised by an attacker who took S3 object storage buckets and other key resources. Taking those pieces out of the puzzle led to the company’s eventual demise.

Next Steps

Did we miss any examples of cybersecurity breach bankruptcy? I’m sure we did. There were several cases we found where we suspected that a cybersecurity incident caused a company to go out of business. We didn’t opt to include a case where there wasn’t clear evidence that the breach was the main driver. Please send us a message about companies that we may have missed.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

NIST Cybersecurity Resources During the Shutdown

January 9, 2019

Grant National Memorial and NIST Cybersecurity Resources during the shutdown. REUTERS/Mike Segar

They did what?

During the government shutdown, which has now gone on for over two weeks, the clever folks at the National Institute of Standards and Technology (NIST) took down many of the resources that the cybersecurity community relies on to help protect society.

The NIST Cybersecurity department has indispensable frameworks and other tools that cybersecurity professionals use every day. These resources have been created over the years by some of the best minds in cybersecurity. Many volunteers have assisted in heroic efforts to help us improve our cybersecurity positioning in a world where hackers, digital pirates and malware operators always seem to be just around the corner.

The government shutdown obviously does not fund all ongoing operations – but even during this “partial shutdown,” the NIST website is up. So, the government is not saving any money by taking the site down. NIST just crippled portions of the website so that we could not access the documentation that taxpayers have spent millions of dollars on.

Other government departments have put up a notice that says, “Due to the lapse in federal funding this website will not be actively managed.” Why actually remove access to some of the already existing resources that taxpayers use routinely? NIST Cybersecurity’s behavior is infuriating to those who rely on having NIST around to help with cybersecurity progress – the shutting down of these key resources seems arbitrary, and evokes a powerful reaction from people who care about the state of our digital resources.

Stages of Shutdown Grief

If you’re like many of us frustrated by these capricious changes, you may have gone through some of these “Five Stages of Shutdown Grief” on the way to an understanding of the situation.

Denial – No, they wouldn’t take down this content. This behavior will help the bad guys, and it won’t save any money. It takes more effort to change the site than to keep it as it was, anyway.
Anger – I can’t believe that they did this! Their childish behavior is infuriating.
Bargaining – Well, maybe we can get access to some of the resources despite the shutdown.
Depression – There’s nothing that we can do. I might as well just leave the floodgates open to hackers.
Acceptance – Okay, the resources aren’t there, but the knowledge is still out there. It is just harder to access it. Maybe we can make it easier to get the information in one place.

NIST Cybersecurity resource availability

All NIST Cybersecurity sites are not down. The National Vulnerability Database (NVD) is funded. It’s up and running. The NVD is the site that allows users to report and receive vulnerability information.

That’s good – but the bad news is that most of the other NIST Cybersecurity content is not available. This really puts a wrench in the spokes when it comes to circling the wagons and keeping businesses and individuals secure in a time when cybercrime and cyberattacks are rampant.

What We Should Do for Future Government Shutdowns

Given the current state of political discord, we should expect future government shutdowns. This unfortunate fact should drive some future decision-making. Here are some concrete recommendations for us to follow, as a country and as individuals, to be able to deal with these kinds of unfortunate situations more easily:

Congress should prohibit NIST from taking down static cybersecurity content from their website in the event of a future shutdown.
The Secretary of Commerce should fire the person who made the decision to take down this NIST cybersecurity content. Cybersecurity is hard enough without having resources that we depend on being yanked out of our hands. Undoubtedly, this person was not acting in the best interest of the United States.
All of us in the cybersecurity profession should click “download” the next time we access content on the NIST website. That way if the materials are suddenly taken down, we still have a copy. I am kicking myself for not doing it for certain documents that I access frequently.
A large company with good intentions should scan and mirror the NIST Cybersecurity content onto one of their servers and put it up in the event of a future government shutdown. They’ll be heroes!

NIST Cybersecurity content during the shutdown<

We at Fractional CISO decided to take matters into our own hands. Using a bunch of NIST files from our archives, we started a GitHub repository with NIST Cybersecurity PDFs. Here it is: https://github.com/fractional-ciso/NIST-Cybersecurity-Documents

We are betting that other folks in the cybersecurity community have NIST Cybersecurity documentation as well. We are looking to populate the repository with the most important NIST Cybersecurity files. Some have already contributed. Thank you! If you have some of this content, then please do one of the following:

Contribute to the GitHub project. Here’s how to do it.
Ask to be a collaborator.
Contact us and get us the files.

We appreciate everyone’s help in this effort.

Next Steps

This article originally appeared on the Fractional CISO blog.

Monthly Archives: January 2019